[liberationtech] DNSSEC to the rescue. Was: Snakeoil and suspicious encryption services

Aymeric Vitte vitteaymeric at gmail.com
Wed Jul 23 03:34:12 PDT 2014 

So let's reexplain: those that do not trust the current mechanism of 
Peersm to load the code (which includes already some protections) and 
fear a mitm attack can get it through other channels and run it inside 
their browser.

Other channels means: other sources that provide the code with its hash 
(hopefully the same one!!), Peersm code can not fit in tweets but easily 
fits in websites, links, torrents, anonymous networks, potentially you 
could just use Peersm itself to check it (upload the code with Peersm 
app from your disk to your browser, check the hash, decrypt/encrypt it)

Asking every user to check the whole code would be ridiculous, among the 
sources someone skilled enough might have done the job and can certify 
that the related code is OK for other users.

"Skilled enough" --> a serious js dev, unlike what you seem to state, 
it's really easy to see what a js code is doing whatever obfuscation 
means or strange thing the issuer have used/put in it

Now you seem to mean that 400 kB is big for Peersm, you probably don't 
realize all what it is doing (Peersm protocol, Tor protocol, SSL/TLS, 
certificates, crypto, RSA, DH, etc) for a so small code compared to 
other technos doing the same with dozens of MB at minimum.

Regards,


Le 23/07/2014 02:20, Tony Arcieri a écrit :
> On Tue, Jul 22, 2014 at 4:38 PM, Aymeric Vitte <vitteaymeric at gmail.com 
> <mailto:vitteaymeric at gmail.com>> wrote:
>
>     And checking what is doing a 400 kB js code is trivial for any
>     serious js dev
>
>
> This assertion is completely ludicrous, especially when you're talking 
> about trying to find a potentially stealthy malicious payload in 400kB 
> of code. JavaScript benefits confusers and enables all sorts of 
> obfuscation techniques which can't be easily undone through simple 
> static analysis.
>
> Asking every user to verify the integrity of 400kB of JavaScript code 
> by manual review and searching for backdoors is a complete nonstarter 
> when it comes to practical solutions to detecting compromise.
>
> TweetNaCl, by comparison, fits in 100 tweets.
>
> -- 
> Tony Arcieri
>
>

-- 
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140723/b211c51d/attachment.html>

More information about the liberationtech mailing list